Detection and Classification of Network Intrusions Using Hidden Markov Models

S. Radosavac and J.S. Baras

37th Conference on Information Sciences and Systems (CISS), Johns Hopkins University, Baltimore, Maryland, March 12-14, 2003

Abstract

This paper demonstrates that it is possible to model attacks with a low number of states and classify them using Hidden Markov Models with very low False Alarm rate and very few False Negatives. We also show that the models developed can be used for both detection and classification. We put emphasis on detection and classification of network intrusions and attacks using Hidden Markov Models and training on anomalous sequences. We test several algorithms, apply different rules for classification and evaluate the relative performance of these. Several of the attack examples presented exploit buffer overflow vulnerabilities, due to availability of data for such attacks. We emphasize that the purpose of our algorithms is not only the detection and classification of buffer overflows; they are designed for detecting and classifying a broad range of attacks.